/bin/login gives root to group utmp

Thanks for the heads-up. I've uploaded the patch to the security queue,
and it is building now. It should publish shortly.

Can you please explain what is the holdup in publishing the updates?
(Debian is also delaying the release: are those related?)

Why is this bug marked private, when the Debian bug is out in the open?

Thanks, Paul

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Published as: http://www.ubuntu.com/usn/usn-695-1

I belatedly realize that the Debian etch fix still allows for a DoS attack; I am not
sure if the Debian sid fix, or the Ubuntu one, are any better.
I do not yet know whether the DoS attack can succeed without group utmp access,
please see
  http://bugs.debian.org/505071
  http://bugs.debian.org/505271
for details.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Thanks for the note. Since there are lots of ways to do a local DoS, we'll wait to see how this is handled upstream.

Even now, at shadow version 4.1.3, there are DoS issues with securetty,
and bypass/trick of pam_time, pam_group checks. Please see
  http://bugs.debian.org/505071
for details.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Both login and newgrp leak a file descriptor to /etc/shadow, please see
the see the Debian bug report
  http://bugs.debian.org/505071
for details.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia